[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13790022#comment-13790022 ]

James Peach commented on TS-1584:
---------------------------------

I think we can

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Assignee: James Peach
> Priority: Minor
> Labels: patch
> Fix For: 5.0.0
>
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch, 0001-TS-1584-Retaining-some-info-from-client-certificate-.patch
>
>
> I'm writing an authentication plugin for traffic server and would like to implement the following logic:
> * If the client supplies a valid certificate over ssl, allow the transaction to proceed with no further authentication.
> * Otherwise challenge the client with username/password authentication.
> Currently if I turn on client certificate checking in TS (proxy.config.ssl.client.certification_level > 0), the result of the client certificate verification happens at the SSLNetVConnection level and plugin hooks have no knowledge of this. This makes implementing the aforementioned logic not possible.

--
This message was sent by Atlassian JIRA (v6.1#6144)
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13789558#comment-13789558 ]

Leif Hedstrom commented on TS-1584:
-----------------------------------

[~jpe...@apache.org] What's the appropriate target fix version for this?

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Assignee: James Peach
> Priority: Minor
> Labels: patch
> Fix For: 5.0.0
>
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch, 0001-TS-1584-Retaining-some-info-from-client-certificate-.patch
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13586534#comment-13586534 ]

James Peach commented on TS-1584:
---------------------------------

Yes.

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Assignee: James Peach
> Priority: Minor
> Labels: patch
> Fix For: 3.3.2
>
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch, 0001-TS-1584-Retaining-some-info-from-client-certificate-.patch

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13581697#comment-13581697 ]

Leif Hedstrom commented on TS-1584:
-----------------------------------

In general, most structures in the APIs are opaque to the plugin writer, and we provide Get and Set methods to access member data. I'm guessing that's what James is referring to?

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Assignee: James Peach
> Priority: Minor
> Labels: patch
> Fix For: 3.3.1
>
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch, 0001-TS-1584-Retaining-some-info-from-client-certificate-.patch
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13581099#comment-13581099 ]

Thach Tran commented on TS-1584:
--------------------------------

Could you elaborate on what you mean by "an opaque structure"? I do agree that exposing more info about the client cert would be useful but as you mentioned previously, this is a starting point and there'll be a chance to extend it further if needed.

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Assignee: James Peach
> Priority: Minor
> Labels: patch
> Fix For: 3.3.1
>
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch, 0001-TS-1584-Retaining-some-info-from-client-certificate-.patch
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13580709#comment-13580709 ]

James Peach commented on TS-1584:
---------------------------------

Thanks for the new patch, Thach. I think that this is going in the right direction. I like TSClientCertInfo, though I would prefer that it was an opaque structure. I still believe that this API needs to be more general and extensible; for example, many applications will want to examine the full subject DN rather than just the CN.

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Assignee: James Peach
> Priority: Minor
> Labels: patch
> Fix For: 3.3.1
>
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch, 0001-TS-1584-Retaining-some-info-from-client-certificate-.patch
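An added sketch (not code from the attached patches or from Traffic Server) of the opaque-structure-with-getters shape discussed in the comments above, driving the allow-or-challenge logic from the issue description. All type and function names are hypothetical, the sample DNs are constructed, and the subject DN allow-list goes beyond the issue's logic, following the review remark about examining the full subject DN.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed result codes for this sketch (0 plays the role of "verified"). */
enum { VERIFY_OK = 0, VERIFY_FAILED = 1 };
typedef enum { AUTH_ALLOW, AUTH_CHALLENGE } auth_action;

/* What a plugin header would expose: an incomplete type plus getters. */
typedef struct client_cert_info client_cert_info;   /* hypothetical name */
int         cert_info_presented(const client_cert_info *ci);
long        cert_info_verify_result(const client_cert_info *ci);
const char *cert_info_subject_dn(const client_cert_info *ci);

/* Core-side definition; fields can be added later without breaking plugins. */
struct client_cert_info {
    int  presented;       /* did the client send a certificate at all? */
    long verify_result;   /* recorded when the handshake completed */
    char subject_dn[256]; /* full subject DN, not only the CN */
};

int cert_info_presented(const client_cert_info *ci) { return ci != NULL && ci->presented; }
long cert_info_verify_result(const client_cert_info *ci) { return ci ? ci->verify_result : VERIFY_FAILED; }
const char *cert_info_subject_dn(const client_cert_info *ci)
{
    return cert_info_presented(ci) ? ci->subject_dn : NULL;
}

/* Decision from the issue description, failing closed to the password challenge. */
auth_action decide_auth(const client_cert_info *ci, const char *const *allowed, size_t n)
{
    /* With optional client certs, "no certificate" must not count as success:
     * OpenSSL's SSL_get_verify_result() reports X509_V_OK in that case too. */
    if (!cert_info_presented(ci) || cert_info_verify_result(ci) != VERIFY_OK)
        return AUTH_CHALLENGE;
    for (size_t i = 0; i < n; i++)   /* exact match on the whole DN */
        if (strcmp(cert_info_subject_dn(ci), allowed[i]) == 0)
            return AUTH_ALLOW;
    return AUTH_CHALLENGE;
}

int main(void)
{
    const char *allowed[] = { "CN=alice,O=Example Corp,C=US" };   /* constructed */
    struct client_cert_info ok = { 1, VERIFY_OK, "CN=alice,O=Example Corp,C=US" };
    struct client_cert_info none = { 0, VERIFY_OK, "" };
    printf("valid cert: %s\n", decide_auth(&ok, allowed, 1) == AUTH_ALLOW ? "allow" : "challenge");
    printf("no cert:    %s\n", decide_auth(&none, allowed, 1) == AUTH_ALLOW ? "allow" : "challenge");
    return 0;
}
```

An empty allow-list challenges every client, so a misconfigured plugin falls back to password authentication rather than admitting any certificate holder.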
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13580466#comment-13580466 ]

Thach Tran commented on TS-1584:
--------------------------------

Add an updated patch to also expose client cert's common name and issuer name.

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Assignee: James Peach
> Priority: Minor
> Labels: patch
> Fix For: 3.3.1
>
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch, 0001-TS-1584-Retaining-some-info-from-client-certificate-.patch
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502566#comment-13502566 ]

James Peach commented on TS-1584:
---------------------------------

I took a quick look and I'm generally positive. The main comment I have is that there is a lot more interesting SSL session information to expose, so we should think harder about making a more general API that can expose additional information as we want it.

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Priority: Minor
> Labels: patch
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch
[jira] [Commented] (TS-1584) Exposing client SSL certificate verification result in plugin API
[ https://issues.apache.org/jira/browse/TS-1584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13502288#comment-13502288 ]

Igor Galić commented on TS-1584:
--------------------------------

+1

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.

> Exposing client SSL certificate verification result in plugin API
> -----------------------------------------------------------------
>
> Key: TS-1584
> URL: https://issues.apache.org/jira/browse/TS-1584
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL, TS API
> Affects Versions: 3.3.4
> Reporter: Thach Tran
> Priority: Minor
> Labels: patch
> Attachments: 0001-Exposing-client-ssl-certificate-verification-result-.patch